How do I remove the Fake SCANDISK virus

(OP)
Hi,
One of my users "got a message says they needed to upgrade their antivirus, so clicked on the Popup". DOH,.. and now has the Fake scandisk Virus.
I managed to get rid of most of it, but after a reboot, the files appear again.
These files are c:\windows\system32\xloadg66.dll, c:\users\USERNAME\AppData\Roaming\xloadg66.dll, c:\users\USERNAME\Appdata\Roaming\Windows\Startup\Scandiskg66.dll, c:\users\USERNAME\Appdata\Roaming\Windows\Startup\scandisk.lnk.
In MSCONFIG, there are startup reg values that, when I disable them, reactivate themselves.
When I run regedit and manually delete the keys under RUN, they re-appear straight away.
Run32dll.exe is running (with xloadg66.dll) and I'm unable to stop it (even as admin).
From another PC, I can connect to the pc's c$ and delete the files, but as soon as the user logs in again, the files appear.
SO,... there's obviously a rogue service, exe, batch files that I can find running on start up that keeps re-infecting this PC.
AVG is run and "removes files on reboot", but they come back.
Same thing happens using malwarebytes and spybot.

PLEASE....does anyone know what I'm missing, or a free prog to delete the re-infecting element?

If more info is needed, let me know and I will supply.

Cheers

RE: How do I remove the Fake SCANDISK virus

There is a service running whose sole purpose is to reinstall those programs when you delete them.

You might try killing system restore, then reboot to safe mode and run Microsoft's anti-malware.

These for starters.

 

Ed Fair
Give the wrong symptoms, get the wrong solutions.

RE: How do I remove the Fake SCANDISK virus

1. Malwarebytes' Anti-Malware if the above doesn't work
2. Combofix if nothing else works.

Keep system restore until after removing malware.  Then turn off system restore, reboot, turn on again.

Better safe than sorry with S.R.  If you whack them before malware removal and there's a big problem, you can't use them.  I know there's a philosophical difference about whether to remove them ahead of malware removal or after.  I always do it after.

RE: How do I remove the Fake SCANDISK virus

(OP)
goombawaho - BRILLIANT. Thank you. Virus eradicated and "tell-tale" signs of it being back (i.e. Xload etc.) are not visible.

Thank you edfair for your advice and quick response; goombawaho's was easier to do remotely.

RE: How do I remove the Fake SCANDISK virus

I would definitely say NOT brilliant - that's my standard answer when anyone even whispers the word malware.  But, glad you got it fixed and thanks for the star.  I be lovin' them stars.
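
A read-only way to list the autorun locations described in the original post (the Run keys and the Startup folder) and flag entries that launch rundll32 or start from a per-user path. This is an added example, not part of the thread; the registry subkeys and Startup folder paths are the standard Windows locations, and the flagging rule in `Test-Suspicious` is an assumption chosen to match the symptoms described.

```powershell
# Added example (not from the thread): read-only listing of logon autoruns.
# A flag is a prompt to review the entry, not a verdict; legitimate software
# also starts from AppData. Run elevated while the affected user is logged on,
# because only loaded user hives appear under HKEY_USERS.
$runSubKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
              'Software\Microsoft\Windows\CurrentVersion\RunOnce'

function Test-Suspicious([string]$Command) {
    # Assumed rule: rundll32 loading a DLL, or anything started from a per-user or temp path
    ($Command -match 'rundll32') -or ($Command -match '\\(AppData|Temp)\\')
}

$entries = @()

# Machine-wide Run keys plus the Run keys of every loaded user hive
$roots = @('Registry::HKEY_LOCAL_MACHINE')
$roots += Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object { "Registry::$($_.Name)" }
foreach ($root in $roots) {
    foreach ($sub in $runSubKeys) {
        $path = "$root\$sub"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            $entries += [pscustomobject]@{
                Location = $path; Name = $name; Command = [string]$key.GetValue($name)
            }
        }
    }
}

# All-users and per-user Startup folders; shortcuts are resolved to their targets
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
$startupDirs += Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
    Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
}
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in ($startupDirs | Where-Object { Test-Path -LiteralPath $_ })) {
    $files = Get-ChildItem -LiteralPath $dir -File -Force | Where-Object Name -ne 'desktop.ini'
    foreach ($file in $files) {
        $cmd = $file.FullName
        if ($file.Extension -eq '.lnk') {
            $lnk = $shell.CreateShortcut($file.FullName)
            $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
        }
        $entries += [pscustomobject]@{ Location = $dir; Name = $file.Name; Command = $cmd }
    }
}

$entries | Select-Object @{n='Suspicious'; e={ Test-Suspicious $_.Command }}, Location, Name, Command |
    Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

The script does not enumerate services or scheduled tasks, so whatever keeps rewriting these entries has to be looked for separately.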
